Kelihos Botnet Emerges with Fresh Improvements

In early 2012, the bot-herders behind the Kelihos botnet reportedly revived it with a revised version of the Kelihos malware. In March of the same year Kaspersky deactivated more than 100,000 bots, yet this did not deter the cyber-criminals from continuing to update their botnet. Now, according to Abuse.ch, a new variant observed in December 2012 shows a few noteworthy improvements when compared with the March 2012 version, softpedia.com reported on December 12, 2012.

The foremost change is that Kelihos moved from the .eu top-level domain to .ru over the summer. The bot-herders also maintain a long list of websites used to distribute fresh payloads that update the botnet, each registered through the Russian registrar REGGI-RU. For the name servers that provide Domain Name System resolution for all of these malware-hosting .ru domains, however, the Kelihos operators rely on the Bahamas-based registrar INTERNET.BS.

A further change, introduced on 10 October 2012, is the new Kelihos' ability to spread via removable drives, in particular USB sticks.

As with the previous variant, the botnet still relies on P2P networking and fast-flux domains, and the same INTERNET.BS registrar is used for the associated name servers.

Kelihos appears to put up to 150,000 spambots to work each day, much like the Cutwail botnet, which recently sent out spam that installed Gameover, a variant of the infamous ZeuS Trojan.

To reduce the threat from the new Kelihos, network administrators are advised to take the following steps. First, because Kelihos uses TCP port 80, the port normally reserved for HTTP, for its P2P communication, all connections to external hosts on TCP port 80 should be restricted. Second, a protocol-inspecting web proxy should be deployed that blocks and alerts on any non-HTTP traffic attempting to pass through it. Third, all Windows software should be kept patched. Finally, outgoing SMTP connections should be restricted.
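As an added example (not from the article or from Abuse.ch), the two network behaviours behind the first, second and fourth recommendations can be checked against the connection log of a protocol-aware proxy or firewall: non-HTTP traffic to external hosts on TCP port 80, and outbound SMTP from any host other than the mail relay. The log format, the 10.0.0.0/8 internal range, the relay address 10.0.0.25 and every address in the sample are constructed.

```python
import ipaddress

# Constructed sample of a protocol-aware proxy/firewall connection log.
# Fields: time, source, destination, destination port, application protocol
# as identified by the proxy (not inferred from the port number).
SAMPLE_LOG = """\
12:00:01 10.0.5.12 93.184.216.34 80 http
12:00:02 10.0.5.12 203.0.113.7 80 unknown
12:00:03 10.0.5.40 198.51.100.9 25 smtp
12:00:04 10.0.0.25 198.51.100.9 25 smtp
12:00:05 10.0.5.12 10.0.0.8 80 unknown
12:00:06 10.0.5.13 192.0.2.55 80 ssl
"""

# Assumed internal address space and the one host allowed to send SMTP out.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MAIL_RELAYS = {"10.0.0.25"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    time, src, dst, dport, proto = parts
    try:
        return {"time": time, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "proto": proto.lower()}
    except ValueError:
        return None


def find_suspicious(log_text, mail_relays=MAIL_RELAYS):
    """Return (source, reason) pairs for connections matching the two patterns."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or any(rec["dst"] in net for net in INTERNAL_NETS):
            continue  # only traffic leaving the network is of interest here
        src = str(rec["src"])
        if rec["dport"] == 80 and rec["proto"] != "http":
            # P2P chatter on port 80 is seen by the proxy as a non-HTTP protocol
            hits.append((src, "non-http-on-80"))
        elif rec["dport"] == 25 and src not in mail_relays:
            # a spambot delivering mail directly instead of via the relay
            hits.append((src, "direct-smtp"))
    return hits
```

Internal-to-internal traffic is skipped on purpose, since the recommendations concern connections leaving the network; hosts that are flagged are candidates for inspection, not confirmed infections.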